An Alberta university specializing in online distance education has been scolded for its failure to establish off-site disaster recovery facilities, six years after the provincial auditor general first told it to do so.

In 2010, Athabasca University was instructed by the auditor general to establish the facility because it is “critical to reliably providing accessible online learning to Albertans.”

It was also directed to complete and test a disaster recovery plan (DRP) “to ensure continuous services are provided in the event of a disaster.”

The latest report from the auditor general issued last week said Athabasca has done neither.

An off-site facility allows an institution to recover its systems and servers with data backups not stored on-site “in the event of a disaster, accidental error, or system crash.”

“Failure to recover promptly from a disaster affecting the data centre at the main campus in Athabasca would affect the university’s ability to continue providing these services,” Alberta auditor general Merwan Saher wrote in his latest report.

Athabasca deployed a disaster recovery plan in 2008 but the auditor general found the university had not updated it or tested it since it was launched, stating that “management has concluded the university does not have the adequate monetary resources to do so.”

“We found the university had performed a risk assessment on its IT resumption capability that confirmed the university would not be able to recover its critical student IT services from a catastrophic failure at the data centre in Athabasca,” Saher wrote.

“We again repeat our recommendation given the significant risk to the university if it does not update and test its DRP capabilities.”

Athabasca University has more than 7,800 full-load equivalent students and employs more than 1,350 faculty and staff members on four Alberta campuses.

President Neil Fassina said the university takes the recommendations “incredibly serious” and has undertaken steps “towards mitigating the risks identified” by Saher.

“It’s not that the recommendations have gone unattended,” Fassina said, explaining that building a more secure system without disrupting day-to-day operations was complex, so as not to put the existing system at risk.

“We are at a point where we are secure. There is room for improvement but I believe we are secure and moving even more secure into the next two years.”

Fassina said they are undertaking an upgrade of their “business continuity framework” in a “lock-step manner” and were in the process of “transferring some of our legacy systems into the (new) environment.”

Saher was also critical of the university’s lack of monitoring and reporting of security violations, pointing out that management held periodic reviews of when security breaches happened, but that they were not identifying or resolving the root causes of the violations or threats.

Nor were they documenting their reviews at an application level.

“Failure to actively monitor access and security violations allows an intruder to probe for weaknesses or entry points to the university’s financial information systems,” Saher wrote.

“Access and security violations would go undetected or not be properly dealt with, causing security threats to the university’s financial applications and information resources.”

Fassina said they had “put in a number of stop-gap measures” to create system redundancies to protect against security threats, and they were making progress in automating detection and prevention of data loss, but a “full, robust system” was still “two years away from fruition.”
